Addressing the cyber security needs of a business is a constant battle. But now, more than ever before, it is becoming harder to keep track of how the attack landscape is changing – particularly with respect to DDoS techniques.
At Arelion, we see a lot of traffic and it puts us in a unique position to share with the wider community what we are seeing and the trends that are emerging. We do this each year in our DDoS Threat Landscape Report, and this year’s report has been as surprising as any other.
As with previous years, DDoS attacks appear to reflect major geo-political challenges and social tensions and have become an increasingly significant part of the hybrid warfare arsenal. Attack activity was less centred on active conflict areas, shifting instead towards global cloud centres. Conversely, in the rest of the world, Arelion observed lower Asia-US DDoS activity and fewer DDoS attacks to and from South America in 2022.
Here are some of the key trends that we saw in this year’s report.
Attack distribution rising
In 2022, peak attack traffic in Mega Packets Per Second (Mpps) was up 19% from 2021. This trend reflects overall Internet traffic growth but is also due to a continuing shift towards fewer, but more spectacular attacks.
Whilst there has been an increase in the number of large attacks (both in terms of bits and packets), our research reveals the vast majority of attacks are still small and mostly driven by free-tier stress-test or DDoS-as-a-Service attacks instigated by amateur cybercriminals. We saw the biggest increase in the 5–20 and 20–50 Gbps attack ranges – mainly through DNS and NTP attacks, but also memcached, owing to that method’s high amplification factor.
In part thanks to the industry-wide anti-spoofing initiative, the DDoS Traceback Working Group, the number of DDoS attacks on Arelion’s global backbone decreased by over 30% in 2022 – with 50% fewer attacks directed towards customers. This is truly a huge step forward and should be similarly reflected in other global backbone networks that are part of the initiative.
The DDoS battlefield
There was a greater concentration of DDoS activity in Europe during 2022 – most likely as a consequence of the ongoing war in Ukraine. As the Ukrainian authorities sought safe harbour for their digital state registries and databases, the distribution of attacks moved away from active conflict areas and into global cloud centres. This was a consequence of both damage to national network infrastructure and the strategic migration of local databases and applications into the cloud.
A different approach was taken by countries not under direct physical attack. Here, greater local reinforcement of in-country IT infrastructure resulted in more local attacks. The divergent approaches towards national-level attacks can be summarised as: ‘distribute’ or ‘defend’.
The DDoS arms race
Overall, the number of DDoS attacks decreased by a third in 2022 – with 50% fewer attacks towards our customers. Even when the extraordinary 2021 pandemic traffic spikes are discounted, there was a dramatic reduction in DDoS activity within our network by the end of the year.
Although this doesn’t necessarily reflect the situation in local networks, the lower global backbone impact was largely due to an industry-wide anti-spoofing initiative – the DDoS Traceback Working Group.
Generally, we are seeing a more decisive response by network and IT infrastructure owners to cyber threats, and they are gradually starting to fight back – through better cooperation and by closing the inherent weak spots in the network that cybercriminals have exploited for so long.
The DDoS Traceback game changer
During 2022, we started working together with a number of other major backbone networks in the DDoS Traceback Working Group, an initiative to actively track spoofing-friendly networks, to encourage customers to implement anti-spoofing mechanisms, and/or to shut down abusive client networks. Spoofing is a key component of the amplification/reflection attacks that we’ve seen in recent years: the attacker forges the victim’s address as the source so that reflectors send their amplified replies to the victim. This work proved to be effective and has made it much more difficult for the DDoS attack providers (Stresser/Booter services) to operate.
While this has resulted in a drop in the overall number of attacks, we are seeing an increase in direct-path attacks from botnets – albeit to a lesser extent. These are more expensive to purchase, since bots are a valuable asset for cybercriminals and, if exposed, risk being shut down when used extensively. Proxies are also being used more – as a smoke screen to protect the bots from being exposed.
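The anti-spoofing check that the Traceback initiative asks customer networks to deploy is, at its core, source-address validation on the customer-facing port (the BCP38 idea): outbound packets whose source address does not belong to the prefixes assigned to that port are spoofed and are dropped. The following is an added example written for this post, not Arelion’s tooling; the customer prefixes and flow records are constructed, and the destination ports 53, 123 and 11211 correspond to the DNS, NTP and memcached reflector services named above.

```python
"""Added example (not from the Arelion report): a BCP38-style source
address validity check run over constructed outbound flow records.

Any packet leaving a customer port with a source address outside the
prefixes assigned to that port is spoofed; ingress filtering would drop
it. Spoofed packets are also tallied per reflector service so an
operator can see which amplification vector a customer is feeding."""
import ipaddress
from collections import Counter

# Prefixes assigned to the hypothetical customer port (constructed values).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed outbound flow records: (src, dst, dst_port, packets).
FLOWS = [
    ("203.0.113.10", "198.51.100.7", 443, 120),        # legitimate source
    ("198.51.100.200", "192.0.2.53", 53, 50000),       # spoofed: DNS reflection
    ("192.0.2.77", "192.0.2.123", 123, 30000),         # spoofed: NTP reflection
    ("203.0.113.44", "192.0.2.9", 11211, 800),         # legitimate src, memcached
    ("2001:db8:1::5", "2001:db8:2::1", 443, 60),       # legitimate IPv6 source
    ("2001:db8:9::5", "2001:db8:2::2", 11211, 20000),  # spoofed IPv6: memcached
]

# Reflector services named in the report, keyed by their UDP port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}


def source_is_valid(src, prefixes=CUSTOMER_PREFIXES):
    """True when src lies within a prefix assigned to this port (BCP38 check)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)


def classify_flows(flows=FLOWS):
    """Split flows into permitted and spoofed; count spoofed packets per service."""
    permitted, spoofed = [], []
    per_service = Counter()
    for src, dst, dport, pkts in flows:
        if source_is_valid(src):
            permitted.append((src, dst, dport, pkts))
        else:
            spoofed.append((src, dst, dport, pkts))
            per_service[REFLECTOR_PORTS.get(dport, "other")] += pkts
    return permitted, spoofed, per_service


if __name__ == "__main__":
    ok, bad, svc = classify_flows()
    print(f"permitted flows={len(ok)} spoofed flows={len(bad)}")
    for name, pkts in svc.most_common():
        print(f"  {name}: {pkts} spoofed packets")
```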
Vigilance is key
These findings reinforce the need for a basic level of customer protection to mitigate the abundant smaller attacks, together with a solid insurance policy for the larger ones. Thankfully we are seeing a power shift in the DDoS arms race: there is now a more decisive response by network and IT infrastructure owners to cyber threats, and they are gradually starting to fight back with better cooperation and by closing the inherent weak spots in the network that cybercriminals have exploited for so long. But this is not a time to relax: those launching cyber attacks will be looking for new ways to be successful, and we must all stay vigilant.